Esc
Server Software Component - T1505
(ATT&CK® Technique)
Definition
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1505["Server Software Component"] --> |adds| WebScriptFile["Web Script File"]; class T1505 OffensiveTechniqueNode;
class WebScriptFile ArtifactNode; click WebScriptFile href "/dao/artifact/d3f:WebScriptFile";
click T1505 href "/offensive-technique/attack/T1505/"; click WebScriptFile href "/dao/artifact/d3f:WebScriptFile"; T1505["Server Software Component"] --> |modifies| MailServer["Mail Server"]; class T1505 OffensiveTechniqueNode;
class MailServer ArtifactNode; click MailServer href "/dao/artifact/d3f:MailServer";
click T1505 href "/offensive-technique/attack/T1505/"; click MailServer href "/dao/artifact/d3f:MailServer"; T1505["Server Software Component"] --> |modifies| WebServer["Web Server"]; class T1505 OffensiveTechniqueNode;
class WebServer ArtifactNode; click WebServer href "/dao/artifact/d3f:WebServer";
click T1505 href "/offensive-technique/attack/T1505/"; click WebServer href "/dao/artifact/d3f:WebServer"; T1505["Server Software Component"] --> |adds| MessageTransferAgent["Message Transfer Agent"]; class T1505 OffensiveTechniqueNode;
class MessageTransferAgent ArtifactNode; click MessageTransferAgent href "/dao/artifact/d3f:MessageTransferAgent";
click T1505 href "/offensive-technique/attack/T1505/"; click MessageTransferAgent href "/dao/artifact/d3f:MessageTransferAgent"; T1505["Server Software Component"] --> |adds| Software["Software"]; class T1505 OffensiveTechniqueNode;
class Software ArtifactNode; click Software href "/dao/artifact/d3f:Software";
click T1505 href "/offensive-technique/attack/T1505/"; click Software href "/dao/artifact/d3f:Software"; T1505["Server Software Component"] --> |produces| Process["Process"]; class T1505 OffensiveTechniqueNode;
class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process";
click T1505 href "/offensive-technique/attack/T1505/"; click Process href "/dao/artifact/d3f:Process"; T1505["Server Software Component"] --> |invokes| CreateProcess["Create Process"]; class T1505 OffensiveTechniqueNode;
class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
click T1505 href "/offensive-technique/attack/T1505/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1505["Server Software Component"] --> |creates| StoredProcedure["Stored Procedure"]; class T1505 OffensiveTechniqueNode;
class StoredProcedure ArtifactNode; click StoredProcedure href "/dao/artifact/d3f:StoredProcedure";
click T1505 href "/offensive-technique/attack/T1505/"; click StoredProcedure href "/dao/artifact/d3f:StoredProcedure"; DecoyFile["Decoy File"] -->
| spoofs | WebScriptFile["Web Script File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1505["Server Software Component"] ;
class DecoyFile DefensiveTechniqueNode;
class WebScriptFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | WebScriptFile["Web Script File"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1505["Server Software Component"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class WebScriptFile ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | WebScriptFile["Web Script File"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1505["Server Software Component"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class WebScriptFile ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; SystemCallAnalysis["System Call Analysis"] -->
| analyzes | CreateProcess["Create Process"];
SystemCallAnalysis["System Call Analysis"] -.->
| may-detect | T1505["Server Software Component"] ;
class SystemCallAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | Process["Process"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.->
| may-detect | T1505["Server Software Component"] ;
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | MessageTransferAgent["Message Transfer Agent"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1505["Server Software Component"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class MessageTransferAgent ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | CreateProcess["Create Process"];
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | Process["Process"];
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | MessageTransferAgent["Message Transfer Agent"];
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class MessageTransferAgent ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | WebScriptFile["Web Script File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1505["Server Software Component"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class WebScriptFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; ProcessSuspension["Process Suspension"] -->
| suspends | MessageTransferAgent["Message Transfer Agent"];
ProcessSuspension["Process Suspension"] -.->
| may-evict | T1505["Server Software Component"] ;
class ProcessSuspension DefensiveTechniqueNode;
class MessageTransferAgent ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; ProcessSuspension["Process Suspension"] -->
| suspends | Process["Process"];
class ProcessSuspension DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; HostShutdown["Host Shutdown"] -->
| terminates | Process["Process"];
HostShutdown["Host Shutdown"] -.->
| may-evict | T1505["Server Software Component"] ;
class HostShutdown DefensiveTechniqueNode;
class Process ArtifactNode;
click HostShutdown href "/technique/d3f:HostShutdown"; HostShutdown["Host Shutdown"] -->
| terminates | MessageTransferAgent["Message Transfer Agent"];
class HostShutdown DefensiveTechniqueNode;
class MessageTransferAgent ArtifactNode;
click HostShutdown href "/technique/d3f:HostShutdown"; ProcessTermination["Process Termination"] -->
| terminates | Process["Process"];
ProcessTermination["Process Termination"] -.->
| may-evict | T1505["Server Software Component"] ;
class ProcessTermination DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessTermination["Process Termination"] -->
| terminates | MessageTransferAgent["Message Transfer Agent"];
class ProcessTermination DefensiveTechniqueNode;
class MessageTransferAgent ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; FileEviction["File Eviction"] -->
| deletes | WebScriptFile["Web Script File"];
FileEviction["File Eviction"] -.->
| may-evict | T1505["Server Software Component"] ;
class FileEviction DefensiveTechniqueNode;
class WebScriptFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
| encrypts | WebScriptFile["Web Script File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1505["Server Software Component"] ;
class FileEncryption DefensiveTechniqueNode;
class WebScriptFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; SoftwareUpdate["Software Update"] -->
| updates | StoredProcedure["Stored Procedure"];
SoftwareUpdate["Software Update"] -.->
| may-harden | T1505["Server Software Component"] ;
class SoftwareUpdate DefensiveTechniqueNode;
class StoredProcedure ArtifactNode;
click SoftwareUpdate href "/technique/d3f:SoftwareUpdate"; SoftwareUpdate["Software Update"] -->
| updates | Software["Software"];
class SoftwareUpdate DefensiveTechniqueNode;
class Software ArtifactNode;
click SoftwareUpdate href "/technique/d3f:SoftwareUpdate"; CredentialScrubbing["Credential Scrubbing"] -->
| hardens | StoredProcedure["Stored Procedure"];
CredentialScrubbing["Credential Scrubbing"] -.->
| may-harden | T1505["Server Software Component"] ;
class CredentialScrubbing DefensiveTechniqueNode;
class StoredProcedure ArtifactNode;
click CredentialScrubbing href "/technique/d3f:CredentialScrubbing"; VariableInitialization["Variable Initialization"] -->
| hardens | StoredProcedure["Stored Procedure"];
VariableInitialization["Variable Initialization"] -.->
| may-harden | T1505["Server Software Component"] ;
class VariableInitialization DefensiveTechniqueNode;
class StoredProcedure ArtifactNode;
click VariableInitialization href "/technique/d3f:VariableInitialization"; TrustedLibrary["Trusted Library"] -->
| hardens | StoredProcedure["Stored Procedure"];
TrustedLibrary["Trusted Library"] -.->
| may-harden | T1505["Server Software Component"] ;
class TrustedLibrary DefensiveTechniqueNode;
class StoredProcedure ArtifactNode;
click TrustedLibrary href "/technique/d3f:TrustedLibrary"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| restricts | CreateProcess["Create Process"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1505["Server Software Component"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | Process["Process"];
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | MessageTransferAgent["Message Transfer Agent"];
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class MessageTransferAgent ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ExecutableDenylisting["Executable Denylisting"] -->
| filters | CreateProcess["Create Process"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1505["Server Software Component"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | WebScriptFile["Web Script File"];
class ExecutableDenylisting DefensiveTechniqueNode;
class WebScriptFile ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -->
| isolates | Process["Process"];
Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -.->
| may-isolate | T1505["Server Software Component"] ;
class Kernel-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -->
| isolates | MessageTransferAgent["Message Transfer Agent"];
class Kernel-basedProcessIsolation DefensiveTechniqueNode;
class MessageTransferAgent ArtifactNode;
click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | WebScriptFile["Web Script File"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1505["Server Software Component"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class WebScriptFile ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
| filters | CreateProcess["Create Process"];
class ExecutableAllowlisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | Process["Process"];
Application-basedProcessIsolation["Application-based Process Isolation"] -.->
| may-isolate | T1505["Server Software Component"] ;
class Application-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | MessageTransferAgent["Message Transfer Agent"];
class Application-basedProcessIsolation DefensiveTechniqueNode;
class MessageTransferAgent ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| restricts | StoredProcedure["Stored Procedure"];
class Application-basedProcessIsolation DefensiveTechniqueNode;
class StoredProcedure ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; LocalFilePermissions["Local File Permissions"] -->
| restricts | WebScriptFile["Web Script File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1505["Server Software Component"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class WebScriptFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; SystemCallFiltering["System Call Filtering"] -->
| filters | CreateProcess["Create Process"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1505["Server Software Component"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; SystemCallFiltering["System Call Filtering"] -->
| isolates | Process["Process"];
class SystemCallFiltering DefensiveTechniqueNode;
class Process ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; SystemCallFiltering["System Call Filtering"] -->
| isolates | MessageTransferAgent["Message Transfer Agent"];
class SystemCallFiltering DefensiveTechniqueNode;
class MessageTransferAgent ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; RestoreSoftware["Restore Software"] -->
| restores | StoredProcedure["Stored Procedure"];
RestoreSoftware["Restore Software"] -.->
| may-restore | T1505["Server Software Component"] ;
class RestoreSoftware DefensiveTechniqueNode;
class StoredProcedure ArtifactNode;
click RestoreSoftware href "/technique/d3f:RestoreSoftware"; RestoreSoftware["Restore Software"] -->
| restores | Software["Software"];
class RestoreSoftware DefensiveTechniqueNode;
class Software ArtifactNode;
click RestoreSoftware href "/technique/d3f:RestoreSoftware"; RestoreFile["Restore File"] -->
| restores | WebScriptFile["Web Script File"];
RestoreFile["Restore File"] -.->
| may-restore | T1505["Server Software Component"] ;
class RestoreFile DefensiveTechniqueNode;
class WebScriptFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; RestoreNetworkAccess["Restore Network Access"] -->
| restores | WebServer["Web Server"];
RestoreNetworkAccess["Restore Network Access"] -.->
| may-restore | T1505["Server Software Component"] ;
class RestoreNetworkAccess DefensiveTechniqueNode;
class WebServer ArtifactNode;
click RestoreNetworkAccess href "/technique/d3f:RestoreNetworkAccess"; RestoreNetworkAccess["Restore Network Access"] -->
| restores | MailServer["Mail Server"];
class RestoreNetworkAccess DefensiveTechniqueNode;
class MailServer ArtifactNode;
click RestoreNetworkAccess href "/technique/d3f:RestoreNetworkAccess"; EndpointHealthBeacon["Endpoint Health Beacon"] -->
| monitors | MailServer["Mail Server"];
EndpointHealthBeacon["Endpoint Health Beacon"] -.->
| may-detect | T1505["Server Software Component"] ;
class EndpointHealthBeacon DefensiveTechniqueNode;
class MailServer ArtifactNode;
click EndpointHealthBeacon href "/technique/d3f:EndpointHealthBeacon"; EndpointHealthBeacon["Endpoint Health Beacon"] -->
| monitors | WebServer["Web Server"];
class EndpointHealthBeacon DefensiveTechniqueNode;
class WebServer ArtifactNode;
click EndpointHealthBeacon href "/technique/d3f:EndpointHealthBeacon"; FileAnalysis["File Analysis"] -->
| analyzes | WebScriptFile["Web Script File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1505["Server Software Component"] ;
class FileAnalysis DefensiveTechniqueNode;
class WebScriptFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | Process["Process"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.->
| may-detect | T1505["Server Software Component"] ;
class ProcessLineageAnalysis DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | MessageTransferAgent["Message Transfer Agent"];
class ProcessLineageAnalysis DefensiveTechniqueNode;
class MessageTransferAgent ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; HostReboot["Host Reboot"] -->
| terminates | MessageTransferAgent["Message Transfer Agent"];
HostReboot["Host Reboot"] -.->
| may-evict | T1505["Server Software Component"] ;
class HostReboot DefensiveTechniqueNode;
class MessageTransferAgent ArtifactNode;
click HostReboot href "/technique/d3f:HostReboot"; HostReboot["Host Reboot"] -->
| terminates | Process["Process"];
class HostReboot DefensiveTechniqueNode;
class Process ArtifactNode;
click HostReboot href "/technique/d3f:HostReboot"; EmailRemoval["Email Removal"] -->
| may-access | MailServer["Mail Server"];
EmailRemoval["Email Removal"] -.->
| may-evict | T1505["Server Software Component"] ;
class EmailRemoval DefensiveTechniqueNode;
class MailServer ArtifactNode;
click EmailRemoval href "/technique/d3f:EmailRemoval"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | WebScriptFile["Web Script File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1505["Server Software Component"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class WebScriptFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; WebSessionAccessMediation["Web Session Access Mediation"] -->
| isolates | MessageTransferAgent["Message Transfer Agent"];
WebSessionAccessMediation["Web Session Access Mediation"] -.->
| may-isolate | T1505["Server Software Component"] ;
class WebSessionAccessMediation DefensiveTechniqueNode;
class MessageTransferAgent ArtifactNode;
click WebSessionAccessMediation href "/technique/d3f:WebSessionAccessMediation";